[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]

Re: Changing policies, using enforcing=0 the first time

From: Stephen Smalley <sds tycho nsa gov>
To: Forrest Taylor <ftaylor redhat com>
Cc: fedora-selinux-list redhat com
Subject: Re: Changing policies, using enforcing=0 the first time
Date: Fri, 08 Feb 2008 09:54:17 -0500

On Fri, 2008-02-08 at 07:42 -0700, Forrest Taylor wrote:
> I am running into a strange occurrence running RHEL5.1 with an updated
> policy (2.4.6-106.el5_1.3).  By default, it runs the targeted policy.  I
> install the mls and the strict policy and touch /.autorelabel.  The
> first time that I boot to one of these other policies, I get a kernel
> panic, and I have to use enforcing=0.  The strange thing is that I can
> then go back and forth between any policy without setting permissive
> mode--that is, I only have to set enforcing=0 the first time that I make
> a policy change, but subsequent times it is not required.  Does fixfiles
> change something the first time that allows the relabel to work
> subsequent times in enforcing mode?  Any thoughts?

IIRC, RHEL5 still had separate shlib_t vs. lib_t types in the strict/mls
policies, which means that when you first switch from targeted, you
can't execute shared objects in enforcing mode until you've first
relabeled.  targeted policy aliases them into a single type, and
upstream policy has done away with the distinction now as well, I
believe.

So, on the first conversion, the xattrs get reset from lib_t to shlib_t,
then they stay that way because targeted views them as identical.

-- 
Stephen Smalley
National Security Agency

Follow-Ups:
- Re: Changing policies, using enforcing=0 the first time
  - From: Forrest Taylor

References:
- Changing policies, using enforcing=0 the first time
  - From: Forrest Taylor

[Date Prev][Date Next] [Thread Prev][Thread Next] [Thread Index] [Date Index] [Author Index]